SYNOPSIS

DESCRIPTION

mxallowd
is a daemon which uses libnetfilter_queue (on Linux) or pf and pflog (on BSD) to allow (or deny) connections to a mailserver (or similar application) if the remote host hasn't connected to a fake daemon before.

This is an improved version of the so-called nolisting (see http://www.nolisting.org/). The assumption is that spammers are not using RFC 2821-compatible SMTP-clients and are sending fire-and-forget spam (directly to the first or second MX-entry without retrying on error). This direct access is blocked with mxallowd, you'll only get a connection if you retry.

NOTE: It is highly recommended to install nscd (nameserver caching daemon) or a similar software in order to speed-up DNS lookups. Since version 1.3, DNS lookups are done in a thread (so they don't block the main process), however, on very-high-traffic-sites, mxallowd may show significantly better overall performance in combination with nscd.

OPTIONS

-b, --no-rdns-whitelist

Disable whitelisting all IP-addresses that have the same RDNS as the connecting one (necessary for google mail)

EXAMPLES FOR NETFILTER

The machine has two IP-addresses. The mailserver only listens on 192.168.1.4, the nameserver returns the mx-records mx1.domain.com (192.168.1.3) with priority 5 and mx2.domain.com (192.168.1.4) with priority 10.

Then open a separate terminal and connect via telnet on your real mailserver. You'll see the connection attempt being dropped. Now connect to the fake mailserver and watch mxallowd's output. Afterwards, connect to the real mailserver to verify your mailserver is still working.

EXAMPLES FOR PF

The machine has two IP-addresses. The mailserver only listens on 192.168.1.4, the nameserver returns the mx-records mx1.domain.com (192.168.1.3) with priority 5 and mx2.domain.com (192.168.1.4) with priority 10.

Then open a separate terminal and connect via telnet on your real mailserver. You'll see the connection attempt being dropped. Now connect to the fake mailserver and watch mxallowd's output. Afterwards, connect to the real mailserver to verify your mailserver is still working.

The ruleset for pf is actually longer because pf does more than netfilter on linux -- netfilter passes the packets and lets mxallowd decide whether to drop/accept whilst pf blocks/passes before even "passing" to mxallowd.